Debian and Google Summer (Winter) Of Code

Debian is participating in the Google Summer Of Code (or Winter if you are in the southern hemisphere).

It would be good if we could get a SE Linux related project in. If you are interested in doing some SE Linux work (or other security related work) in this regard then please let me know. […]

SE Linux on /.

The book SE Linux by Example has been reviewed on Slashdot.

The issue of Perl scripts was raised for discussion. It is of course true that a domain which is permitted to run the Perl interpreter can perform arbitrary system calls – it can therefore do anything that SE Linux permits that domain to do. […]

creating a new SE Linux policy module

Creating a simple SE Linux policy module is not difficult.

audit(1173571340.836:12855): avc: denied { execute } for pid=5678 comm="spf-policy.pl" name="hostname" dev=hda ino=1234 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file

For example I had a server with the above messages in the kernel message log from the spf-policy program (run from Postfix) trying to run the “hostname” program. So I […]

execmod

Ulrich Drepper has written a good web page about text relocation which is most often noticed as execmod failures reported when running SE Linux. When an AVC message reports a failure of execmod against a shared object it means that the object has text relocations (the shared object code writes to code that it executes […]

core files

The issue of core file management has come up for discussion again in the SE Linux list.

I believe that there are two essential security requirements for managing core files, one is that the complete security context of the crashing process is stored (to the greatest possible extent), and the other is that processes with […]

more about vista security

While reading the discussion of Vista security on Bruce Schneier’s blog it occurred to me that comparing the issues of DRM that face MS with the issues faced by SE Linux developers provides some benefits.

SE Linux is designed to enable the owner of a computer to effectively enforce security policies to protect their system […]

installing Debian Etch

A few days ago I installed Debian/Etch on my Thinkpad. One of the reasons for converting from Fedora to Debian is that I need to run Xen and Fedora doesn’t support non-PAE machines with Xen. Ironically it’s hardware supplied to me by Red Hat (Thinkpad T41p) that lacks PAE support and forces me to […]

Debian SE Linux policy bug

checkmodule -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -u local.pp

Save the following policy as local.te and then run the above commands to make semodule work correctly and to also allow restorecon to access the console on boot.

module local 1.0; require { class chr_file { read write }; class fd use; […]

SE Linux on Debian in 5 minutes

Following from my 5 minute OSDC talk yesterday on 5 security improvements needed in Linux distributions I gave a 5 minute talk on installing SE Linux on Debian etch. To display the notes I formatted them such that they were in 24 line pages and used less at a virtual console to display them. The […]

The benefits of SE Linux

Today I discovered a bug in one of my programs, it called system() and didn’t correctly escape shell meta-characters. Fortunately I had written custom SE Linux policy for it which did domain_auto_trans(foo_t, shell_exec_t, very_restricted_t) so there was no possibility of damage.

The log files (which were not writable by the daemon by both SE Linux […]